At the outset, executives discussed the key issues around risk management in their business today:

Companies are very good at operational reporting, but not as good at risk reporting.

How do we improve the quality and consistency of risk reporting?

What is the right amount of information to provide the board?

How do you quantify your risk reporting?

What are the organizational, cultural and process issues associated with implementing a GRC solution?

What role should IT play in defining, architecting and managing the risk management function?

How do we as risk managers enable our business managers to make better risk decisions?

How should the risk management and audit functions collaborate?

The discussion started off on risk identification. The moderator articulated the problem as board members saying that they’re not seeing the right risks while management’s struggling to present succinctly a huge amount of information related to risk. One participant pointed out that it takes a long time to say something short.

Here are several of the key takeaways so far:

Developing the Initial Set of Risks

A couple companies talked about building up a set of risks accretively over the years, adding and deleting risks from the prior year based on the current year’s risk environment. Initially, the risks can be identified through brainstorming and/or process owners and the risks they manage.

Express Risks in Terms the Board Can Understand

One insurance executive brought up the point that when reporting to the board, identified risks have to be expressed in terms that the board can understand relative to their notions of risk tolerance, e.g. impact on earnings per share. The board owns risk, but risk managers have to help board members understand the risk in the business. So what information does the board need? Managers need to report within the context of tolerance, something as simple as red, yellow, green. Companies need to be careful that reported risks don’t get “greener” as they move up the reporting chain to the board.

Pictures and Problems

One financial services executive discussed his company’s risk reporting as “Pictures and Problems”: What is the picture of the overall risk profile, and where are the problems (expressed in terms of risk tolerance). This gives the board both qualitative and quantitative ways to think about risk exposure.

What Does the Board Actually Believe?

The discussion turned to what the board actually believes. A couple of executives noted that board members are very skeptical of the traditional bottom-up roll-up of risk. Participants agreed that this process results in a high degree of inaccuracy. One executive described their process of assessing risk at a mid-level; risk is then quantified only around those areas of concern. So, quantification happens only at the individual risk level, not at any aggregate level. An insurance executive pointed out that companies are beginning to think about “notional exposures” – the absolute value of the worst thing happening.

As a follow on to my previous post about the survey conducted at OPEN, we also learned something about companies’ GRC efforts.

Almost 90% said that their GRC spending would either increase or stay the same over the next year. During a time when IT spending overall is dropping, it’s important to note that spending in the risk management sector is holding up. We’ve blogged about this before, but we keep getting additional data that all point to the same conclusion: companies are not cutting back on risk management spending.

The answer to the next question may provide some insight as to why. We asked how companies would characterize the current state of their GRC management efforts: siloed, converged or coordinated. 73% said siloed, 27% coordinated. This mirrors almost exactly the responses from October 2008, which suggests that the road to convergence is not a short one.

We’re pleased to announce that OpenPages and Network Frontiers have partnered to deliver the Unified Compliance Framework (UCF) to the OpenPages customer base. The addition of the UCF content into the OpenPages IT governance solution – OpenPages ITG – supports OpenPages’ goal of providing its customers with a holistic approach to managing IT risk and compliance.

The partnership provides strong synergies for our customer base of enterprise GRC professionals, many of whom are looking to OpenPages for IT risk and compliance management. Previewed at OPEN 2009 – the OpenPages European Network Summit recently held in London – the UCF data gives OpenPages customers access to the most comprehensive set of IT policies and controls that cross multiple regulations, thus reducing the time commitment and costs associated with complying with the slew of IT risk and compliance mandates nearly all companies are faced with today. In a survey conducted at OPEN 2009, 93% of organizations stated that within 2-3 years they are likely to converge or coordinate IT risk and compliance with GRC management.

The announcement was well received by industry experts including Michael Rasmussen, President of Corporate Integrity, a GRC strategy advisory firm:

“In today’s economy, wasting valuable resources on costly and time-consuming processes associated with compliance and risk management can be damaging to IT GRC programs. With the UCF enhancements to the OpenPages Platform offering, customers are given the tools to more quickly and effectively comply with a multitude of regulations and from there, can focus more attention on ensuring that their IT GRC programs are sustainable, repeatable and increase transparency across the enterprise.”

At last week’s OPEN — OpenPages European Network, we conducted a survey of attendees to get a better sense of what they thought about the impact of the financial crisis on the regulatory environment and their own approach to risk management. There were some interesting results, especially when compared with those from OPUS, held 11 months prior in October of 2008.

The first question asked whether or not we’ll see new laws and regulations over corporate risk management oversight within the next year. Just over 80% said they believed that we would see new laws and regulations within the next year. What’s interesting is that almost the same percentage said the same thing almost one year ago. The difference is that we’ve seen no new laws or regulations in the past year. In other words, the expectation of regulatory reform is clearly stronger than the reality. Obama’s focus on healthcare, the EU’s debate over various reg reform proposals, and the general resistance to change are all contributing to a lengthening of the reg reform process.

Our second question asked whether the financial and credit crisis has influenced your company’s thinking and approach to risk management. 62% said yes. Eleven months ago only 46% said yes. The difference here speaks to what companies have found over the last year that suggests a revamping of their approach to risk management. Frankly, I am surprised that the number is not higher. Clearly, we all learned that very smart people can make bad decisions – isn’t that something that companies should want to control for?

If you’re in Hong Kong this week for the 36th annual Sibos, don’t miss OpenPages – a featured business partner in the IBM booth.

Facilitated and organized by OpenPages customer SWIFT, for the SWIFT community, Sibos brings together the financial industry in a unique forum to meet, discuss, learn and keep in touch with what is going on in the industry.

Hosted by Barclays, this year’s OPEN (OpenPages European Network) Summit promises to be the best yet with a jam-packed agenda including real-world case studies from OpenPages customer executives at Allianz, Barclays, Lloyds, ORX and Swiss Re. Joining them will be executives and product experts from OpenPages who will share the latest OpenPages product developments and review OpenPages investments and rapid customer adoption in EMEA.

If you’re unable to make it, check back for a recap of the event in the following week. Otherwise, we look forward to seeing you at Canary Wharf in London!

How effective is your organization at identifying and managing IT risks? Does your organization think of IT risk only in terms of avoidance or compliance, or does it use risk management to improve the effectiveness and value of IT?

If you’ll complete this short, 5 minute survey on IT risk management, we’ll send you a complimentary copy of the final report so you can compare your organization’s IT risk maturity to your peers.

Understand the entity’s risk philosophy and concur with the entity’s risk appetite

Know the extent to which management has established effective enterprise risk management of the organization

Review the entity’s portfolio of risk and consider it against the entity’s risk appetite

Be apprised of the most significant risks and whether management is responding appropriately

The last area is one that cruise line leader Carnival Corporation has taken to heart. In a recent interview with Erik Krell from Business Finance, Carnival’s vice president and chief audit executive Richard Brilliant explained how his team “has done a phenomenal job in developing a framework that enables us to provide risk reporting to the board that they never had before. The reporting not only allows directors to understand how risks are mitigated, but also provides ongoing risk monitoring as well as tracking of action plans for improvements.”

Brilliant says that presenting new, precise information to the board about the company’s overall ability to manage governance, risk, and compliance issues has really improved the dialogue about how the company could better respond to risk in the business. Further, Brilliant notes, “the board can also more clearly see over time how things have improved.”
